
If your ecommerce business sells to customers in California, you must be familiar with the California Consumer Protection Act (CCPA). Since January 1, 2020, companies that interact with California residents have been required to take extra care with what personal information they collect, store, share, and sell.
The basic requirements of the CCPA law include:
- Businesses must disclose what personal information they collect about California residents.
- Businesses must disclose what personal information they share and/or sell about California residents.
- California residents may request copies of any and all of their personal information a business has collected (businesses must comply within 45 days).
- California residents have the right to request that any or all of their personal data collected by a business be corrected or deleted (businesses must comply within 45 days).
- Businesses must disclose to whom they share and/or sell any personal information about Californians.
- Businesses must allow California residents to opt out of the collection, sharing, and/or sale of their personal information. Should someone opt out of data collection and/or sharing, the business cannot treat that individual any differently than someone who did not choose to opt-out.
Failure to comply with these regulations can subject a business to costly fines (up to $7,500) and lawsuits (ranging from $100 to $750 per incident per affected California resident). As with any law, ignorance is no excuse for noncompliance. To protect your ecommerce business from crushing financial penalties, you must be careful about how you collect, store, and share customer and website visitor data.
Personal Information Has a Broad Definition in the CCPA
It is important to pay attention to what qualifies as personal information according to the CCPA. The term ‘personal information’ appears in the text of the CCPA law 586 times. Some personal information are identifiers that a customer may not want being freely sold and shared on the open market.
There are some obvious examples:
- Names.
- Addresses.
- Phone numbers.
- Emails.
- User names.
- Birthdates.
- Government-issued ID numbers (social security numbers, license numbers, etc.).
- Biometric data.
- Employment information.
- Educational background.
- Racial/cultural background.
But the CCPA goes further than that. The law also extends to how Californians use and access digital media. Information such as search histories, browser choices, operating systems, and device types also qualify as personal information under the CCPA. All of these pieces of data are extremely valuable to marketers looking to target advertising and evaluate customer behavior trends.
Historically, this information has been collected without any explicit approval or even awareness that it was happening. With the CCPA, the state of California is following other consumer protection initiatives—like the European Union’s General Data Protection Regulation (GDPR) or Amazon’s Personal Identifying Information policies—designed to give people more control over their digital footprints.
Who Must Follow CCPA Regulations?
The CCPA is not a blanket law that applies to everyone doing business in California. According to the letter of the law, your business must meet one of the following thresholds for the CCPA to apply:
- Annual gross revenues in excess of twenty-five million dollars ($25,000,000).
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
If you are a smaller ecommerce brand, particularly one that does not make money by selling customer data, you may not be subject to the CCPA yet. That said, the moment in a given year when your business makes a penny over $25 million or collects the 50,000th customer’s data, you are expected to be fully compliant with all CCPA regulations.
As mentioned previously, failing to comply can be a costly proposition. As your business continues to grow, you must prioritize compliance with these laws to scale seamlessly. This means that if you haven’t already adapted your business practices to align with the CCPA, it’s time to start.

What CCPA Compliance Looks Like for Your Ecommerce Business
CCPA applies to all sorts of companies. However, it is particularly relevant to ecommerce businesses due to the amount of customer data that is used to complete transactions and assess customer behavior. CCPA does not mean that you have to stop these practices; it just means that you need to be sure you are doing so in a way that conforms to the law.
Some of the forward-facing pieces that need to be a part of your CCPA compliance plan should include:
- Visible and accessible notice to consumers that you plan to collect some element(s) of their personal data.
- There should be multiple channels for customers and website visitors to contact your business about accessing, correcting, or deleting their personal data.
- Clear opportunities for consumers and website visitors to opt out of data collection and/or the sale of their personal information.
There are additional considerations when it comes to data collection and information storage. When a customer’s request comes in, you only have a 45-day window to fully comply. In the case of an alleged CCPA violation, you only have 30 days. In that timeframe, you must be able to locate and either deliver or delete all of the information relevant to the request.
If you have to scour multiple databases and applications for each request, it can be easy to waste time—or worse, make a costly error. CCPA compliance needs to be as quick and painless as possible to prevent these requests from stalling productivity.
Your business needs a way to keep customer data centralized, organized, and instantly accessible. This is one of the prime benefits of adopting an omnichannel ecommerce platform like Descartes Sellercloud.
Make CCPA Compliance a Priority for Your Ecommerce Business Now, Not Later
Descartes Sellercloud makes it convenient to record, store, access, and delete relevant customer data. We know how important this type of compliance is and will continue to be to online merchants. Even if your online sales business does not yet meet one of the thresholds that compel you to abide by CCPA, it is best to be prepared.
Odds are that many of the marketplaces where you sell have their own PII requirements that you must adhere to. As you scale, you can be confident that your data tracking and storage protocols align with industry best practices. Our security safeguards and data handling practices have been vetted through tough audits by leading ecommerce marketplaces.
Moreover, when a consumer information request comes in, our omnichannel toolset allows you to access the data and take swift action to process their request.
Schedule a free demo and see for yourself how Descartes Sellercloud can streamline your ecommerce workflows while providing essential compliance features like these.